Instead of no fd lookup, limit it for nodriver mode, useful to detect…

… listening ports
draios · Jan 5, 2017 · 38ecc61 · 38ecc61
1 parent 31f076f
commit 38ecc61
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 5 deletions.
diff --git a/userspace/libscap/scap-int.h b/userspace/libscap/scap-int.h
@@ -98,6 +98,7 @@ struct scap
 	void* m_proc_callback_context;
 	struct ppm_proclist_info* m_driver_procinfo;
 	bool refresh_proc_table_when_saving;
+	uint32_t m_fd_lookup_limit;
 };
 
 struct scap_ns_socket_list

diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
@@ -139,7 +139,7 @@ scap_t* scap_open_live_int(char *error,
 	handle->m_machine_info.reserved3 = 0;
 	handle->m_machine_info.reserved4 = 0;
 	handle->m_driver_procinfo = NULL;
-
+	handle->m_fd_lookup_limit = 0;
 	//
 	// Create the interface list
 	//
@@ -317,6 +317,7 @@ scap_t* scap_open_offline_int(const char* fname,
 	handle->m_last_evt_dump_flags = 0;
 	handle->m_driver_procinfo = NULL;
 	handle->refresh_proc_table_when_saving = true;
+	handle->m_fd_lookup_limit = 0;
 
 	handle->m_file_evt_buf = (char*)malloc(FILE_READ_BUF_SIZE);
 	if(!handle->m_file_evt_buf)
@@ -420,6 +421,7 @@ scap_t* scap_open_nodriver_int(char *error,
 	handle->m_machine_info.reserved3 = 0;
 	handle->m_machine_info.reserved4 = 0;
 	handle->m_driver_procinfo = NULL;
+	handle->m_fd_lookup_limit = 20; // fd lookup is limited here because is very expensive
 
 	//
 	// Create the interface list

diff --git a/userspace/libscap/scap_fds.c b/userspace/libscap/scap_fds.c
@@ -1373,6 +1373,7 @@ int32_t scap_fd_scan_fd_dir(scap_t *handle, char *procdir, scap_threadinfo *tinf
 	scap_fdinfo *fdi = NULL;
 	uint64_t net_ns;
 	ssize_t r;
+	uint16_t fd_added = 0;
 
 	snprintf(fd_dir_name, 1024, "%sfd", procdir);
 	dir_p = opendir(fd_dir_name);
@@ -1400,7 +1401,8 @@ int32_t scap_fd_scan_fd_dir(scap_t *handle, char *procdir, scap_threadinfo *tinf
 		sscanf(link_name, "net:[%"PRIi64"]", &net_ns);
 	}
 
-	while((dir_entry_p = readdir(dir_p)) != NULL)
+	while((dir_entry_p = readdir(dir_p)) != NULL &&
+		(handle->m_fd_lookup_limit == 0 || fd_added < handle->m_fd_lookup_limit))
 	{
 		fdi = NULL;
 		snprintf(f_name, 1024, "%s/%s", fd_dir_name, dir_entry_p->d_name);
@@ -1478,9 +1480,10 @@ int32_t scap_fd_scan_fd_dir(scap_t *handle, char *procdir, scap_threadinfo *tinf
 		if(SCAP_SUCCESS != res)
 		{
 			break;
+		} else {
+			++fd_added;
 		}
 	}
-
 	closedir(dir_p);
 	return res;
 }

diff --git a/userspace/libscap/scap_procs.c b/userspace/libscap/scap_procs.c
@@ -748,7 +748,7 @@ static int32_t scap_proc_add_from_proc(scap_t* handle, uint32_t tid, int parentt
 	//
 	// Only add fds for processes, not threads
 	//
-	if(handle->m_mode != SCAP_MODE_NODRIVER && parenttid == -1)
+	if(parenttid == -1)
 	{
 		res = scap_fd_scan_fd_dir(handle, dir_name, tinfo, sockets_by_ns, error);
 	}

diff --git a/userspace/libscap/scap_savefile.c b/userspace/libscap/scap_savefile.c
@@ -844,7 +844,8 @@ static int32_t scap_read_proclist(scap_t *handle, gzFile f, uint32_t block_lengt
 	tinfo.filtered_out = 0;
 	tinfo.root[0] = 0;
 	tinfo.sid = -1;
-
+	tinfo.clone_ts = 0;
+
 	while(((int32_t)block_length - (int32_t)totreadsize) >= 4)
 	{
 		//